CVE-2026-10562
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences, which when processed by the embedded web server may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.
Risk Assessment
The risk involves potential use of the device for phishing or other social engineering attacks, where victims are redirected to malicious sites without their knowledge, potentially leading to data theft or malware infection.
Recommendation
It is recommended to immediately update the Archer AX20 V2 firmware to a version newer than 2.1.9 Build 20230829 as soon as a patch is available from the vendor, and restrict access to the web interface to trusted networks only.
Original NVD description (English source)
An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.

